Apple has released security updates for macOS that patch a flaw in its privacy controls which, according to Apple, “may have been actively exploited” and which could have allowed malicious apps to record a Mac’s screen.
It is a rather large update, addressing 73 vulnerabilities, including one in the Transparency, Consent, and Control (TCC) framework that lets malware bypass the system’s privacy controls. Apple addressed the TCC bypass in macOS Big Sur 11.4.
“Apple is aware of a report that this issue may have been actively exploited,” it said of the bug CVE-2021-30713 affecting TCC.
TCC is the framework behind the dialog prompts macOS shows before an app may perform a security- or privacy-sensitive action, such as recording the screen or accessing the webcam and microphone; the user’s decisions are recorded per app so the prompt is not shown again.
Security firm Jamf has posted a report on the bug and says it found the bypass being actively exploited while analyzing the XCSSET malware.
“The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions,” it said.
In August 2020, Trend Micro found XCSSET was targeting Mac developers via infected Xcode projects.
The malware looks for an installed app that has already been granted the permission it wants, plants its own app inside that donor application’s bundle, and runs it from there; TCC attributes the planted app to the donor, so it inherits the donor’s permissions without a new prompt.
“During Jamf’s testing, it was determined that this vulnerability is not limited to screen recording permissions either. Multiple different permissions that have already been provided to the donor application can be transferred to the maliciously created app,” Jamf noted.
“The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent – which is the default behavior.”
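The pattern Jamf describes gives defenders something concrete to hunt for: an app that TCC lists as allowed for Screen Recording (a potential donor) with an unexpected .app bundle nested inside it. The script below is an added example, not code from Jamf, Apple or the XCSSET analysis. It assumes the macOS Big Sur layout of the TCC database, in which the `access` table carries `service`, `client`, `client_type` and `auth_value` columns and `auth_value` 2 means allowed (the per-user copy lives at `~/Library/Application Support/com.apple.TCC/TCC.db` and reading it itself requires Full Disk Access); it also assumes you map bundle identifiers to installed paths yourself, for instance with `mdfind "kMDItemCFBundleIdentifier == 'id'"`, which this offline example does not call. All inputs are constructed inside the block. Nested .app bundles are common in legitimate software (helper and login-item apps), so a hit is a lead to review against the donor’s code signature, not a verdict.

```python
"""Added example: hunt for the TCC permission-piggybacking pattern described
in the article. Runs entirely on constructed data; nothing here touches the
real TCC database. Schema, auth_value encoding and the bundle-id -> path
mapping are assumptions, as stated in the lead-in."""
import os
import sqlite3

SCREEN_CAPTURE = "kTCCServiceScreenCapture"
AUTH_ALLOWED = 2  # assumed Big Sur encoding; Catalina used an 'allowed' column instead


def screen_recording_clients(db_path):
    """Return bundle identifiers the TCC database lists as allowed for Screen Recording."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT client FROM access WHERE service = ? AND auth_value = ?",
            (SCREEN_CAPTURE, AUTH_ALLOWED),
        ).fetchall()
    finally:
        con.close()
    return sorted(r[0] for r in rows)


def nested_app_bundles(app_path):
    """Return every .app directory found anywhere inside app_path."""
    hits = []
    for root, dirs, _files in os.walk(app_path):
        for d in dirs:
            if d.endswith(".app"):
                hits.append(os.path.join(root, d))
    return sorted(hits)


def find_piggyback_candidates(db_path, bundle_paths):
    """bundle_paths maps bundle identifier -> installed .app path (hypothetical
    input; in practice built from mdfind). Returns {donor_id: [nested .app paths]}
    for donors that hold Screen Recording and contain a nested bundle."""
    found = {}
    for client in screen_recording_clients(db_path):
        path = bundle_paths.get(client)
        if path is None or not os.path.isdir(path):
            continue  # not installed or not mapped: nothing to inspect
        nested = nested_app_bundles(path)
        if nested:
            found[client] = nested
    return found


def build_fixture(tmp):
    """Construct a fake TCC.db and fake app bundles under tmp (test data only)."""
    db = os.path.join(tmp, "TCC.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE access (service TEXT, client TEXT, "
                "client_type INTEGER, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        (SCREEN_CAPTURE, "com.example.meet", 0, AUTH_ALLOWED),   # donor: screen recording granted
        (SCREEN_CAPTURE, "com.example.denied", 0, 0),            # prompted, but denied
        ("kTCCServiceMicrophone", "com.example.mic", 0, AUTH_ALLOWED),  # other service only
    ])
    con.commit()
    con.close()
    donor = os.path.join(tmp, "Meet.app")
    os.makedirs(os.path.join(donor, "Contents", "MacOS"))
    # The piggybacking pattern: an applet bundle planted inside the donor's bundle.
    os.makedirs(os.path.join(donor, "Contents", "MacOS", "applet.app", "Contents"))
    clean = os.path.join(tmp, "Mic.app")
    os.makedirs(os.path.join(clean, "Contents", "MacOS"))
    paths = {
        "com.example.meet": donor,
        "com.example.mic": clean,
        "com.example.denied": os.path.join(tmp, "Denied.app"),  # deliberately absent on disk
    }
    return db, paths


def run_demo():
    """Build the fixture in a temporary directory and return the findings, with
    nested paths made relative to their donor bundle so the result is stable."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        db, paths = build_fixture(tmp)
        clients = screen_recording_clients(db)
        found = find_piggyback_candidates(db, paths)
        rel = {k: [os.path.relpath(p, paths[k]) for p in v] for k, v in found.items()}
    return clients, rel


if __name__ == "__main__":
    donors, candidates = run_demo()
    print("Screen Recording donors:", donors)
    for donor, nested in candidates.items():
        print(donor, "contains nested bundle(s):", nested)
```

On a real system the next step is `codesign -dv` on each nested bundle and a comparison of its signing identity with the donor’s; a nested bundle that is unsigned, ad-hoc signed or signed by a different team than its parent is the one worth pulling for analysis.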
Apple also released the iOS 14.6 update for iPhones and iPads, which includes 30 security fixes.
The UK’s National Cyber Security Centre (NCSC) reported one of them, CVE-2021-30715, a bug in which a maliciously crafted message could cause a denial of service on an iOS device.
Apple’s May 24 updates include Safari 14.1.1, which fixes 10 security flaws that could be exploited by malicious websites.